Antivirus, antispyware, and other anti-malware applications seek to protect client computers by identifying harmful applications or other executable code and removing or at least neutralizing the harmful code. Current anti-malware applications (e.g., Microsoft Windows Defender, Microsoft Forefront Client Security, Microsoft OneCare, Microsoft Forefront Server for Exchange Server, and so forth) use a signature-based approach to detect viruses, worms, and spyware. One common type of malware prevention relies on inspecting the Uniform Resource Locators (URLs) or Internet Protocol (IP) addresses that a user requests (e.g., in a web browser) and blocking access to URLs that have been flagged as malicious or potentially malicious. Often, client computers are infected when a user visits a website and allows installation of “unknown software” (typically, users believe they are installing good software), so blocking access to sites known to be malicious can protect the user's computer system from infection.
Machine health state is a technology used to assess a computer system's health and to decide which actions the computer system may perform based on that health. For example, many corporate local area network (LAN) administrators define policies that each computer system must meet before it is allowed to access the corporate network. The administrator may, for instance, define a policy requiring that a particular operating system patch or a particular antivirus definition version be present on a computer system before that system is allowed to access the LAN.
Current web filtering technologies, either host-based (local machine) or edge-based (gateway device/server), use policies to control access to networking protocols or destinations. These policies typically use machine or user attributes known at policy authoring time, such as testing membership in a group, testing the destination or source site name, or imposing time of day restrictions for access to certain network resources.
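As an added illustration that is not part of the original document, the following Python sketch combines the two mechanisms just described: a machine health policy requiring specific patches and a minimum antivirus definition version, and a web filtering rule built only from attributes fixed at authoring time (group membership, destination host, time of day). All patch identifiers, host names and version numbers are constructed placeholders, and the `hour` argument stands in for the time-of-day check.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class MachineHealth:
    """Attributes reported by the client machine (constructed sample values)."""
    installed_patches: Set[str]
    av_definition_version: Tuple[int, int]


@dataclass
class HealthPolicy:
    """Patch and antivirus-definition requirements, as in the LAN admission example."""
    required_patches: Set[str]
    min_av_definition: Tuple[int, int]

    def violations(self, health: MachineHealth) -> List[str]:
        missing = sorted(self.required_patches - health.installed_patches)
        reasons = [f"missing patch {p}" for p in missing]
        if health.av_definition_version < self.min_av_definition:
            reasons.append("antivirus definitions older than required")
        return reasons


@dataclass
class WebFilterRule:
    """Static attributes known at policy authoring time: group, destination, hours."""
    allowed_groups: Set[str]
    blocked_hosts: Set[str]
    allowed_hours: Tuple[int, int]  # inclusive start hour, exclusive end hour

    def violations(self, user_groups: Set[str], host: str, hour: int) -> List[str]:
        reasons = []
        if not (user_groups & self.allowed_groups):
            reasons.append("user not in an allowed group")
        if host.lower() in self.blocked_hosts:  # host-name match is case-insensitive
            reasons.append(f"destination {host} is on the block list")
        start, end = self.allowed_hours
        if not (start <= hour < end):
            reasons.append("outside allowed hours")
        return reasons


def evaluate_request(user_groups, host, hour, health, health_policy, web_rule):
    """Allow only when both the health policy and the web filter rule are satisfied."""
    reasons = health_policy.violations(health) + web_rule.violations(user_groups, host, hour)
    return ("allow" if not reasons else "deny", reasons)
```

The returned reason list is what a defender would log or show the user, since a bare deny gives no hint whether the machine or the destination caused the block.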
One problem is that these protection mechanisms are often unnecessarily restrictive. Websites that allow users to create content may have many non-malicious areas in addition to several malicious areas. In addition, a user's job may entail visiting harmful websites (e.g., to identify illegal distribution of copyrighted material for the corporation that employs the user), and the user may be taking other precautions to reduce the risk of infecting the user's computer system. For example, the user may run the browser in a protected or sandboxed mode to prevent websites from affecting other elements of the computer system. The user may also run stringent antivirus software to reduce the risk of infection. In the case of machine health, a user who rarely uses a laptop may take the laptop to a presentation and want to access a website, but be prevented from doing so because the user has not recently updated the laptop with patches.
At other times, traditional protection mechanisms may not be restrictive enough. For example, URL-based blocking is only as good as the list of known malicious URLs. Malware authors constantly change the domain names that host malware, so URL-based blocking may fail to identify a malicious website for a certain period until an administrator adds that website to the list of malicious websites.